If the BIA is successful in delivering these results, then it is a very valuable tool. The sad fact is, most BIAs are less than effective and lack the critical data and analysis necessary to make good DR/BC decisions. A BC professional at a company, or in most cases the consultant that they contract with, would painstakingly attempt to interview executives about their key business processes, financial and operational measurements. Typically, an executive is asked to fill out a questionnaire and then sit through an hour-long interview.
Barrier #1: How many executives do you know would gladly devote the kind of time and energy this exercise requires?
Once the interview is complete, the questionnaire is sent back to the executive for his or her review. While most executives claim that their business processes are extremely vital to the short-term viability of the company, in the majority of cases, they are unable to quantify the financial impacts of this assumption. This is a common issue with BIAs – everybody says their data is critical, yet they find it difficult to quantify data.
Barrier #2: How many executives would willingly say that their business processes are not as important as others within the company?
Let’s assume for now that we do get financial and operational impacts from the executive and we are not, as is often the case, pushed down to the guy that has been at the company for four months and sits in the broom closet. We create a complex spreadsheet that charts the impacts over time and also make some really cool charts like the one below.
That’s all fine and good. However, when we present our results to the chief financial officer (CFO), she questions the accuracy of our figures, then bristles when we state, “We were simply massaging the data that we got from their own managers.”
This puts some concern in the heads of the other executives in the room about the integrity of financial data and operational impacts.
Barrier #3: The BIA implies a certain level of preciseness that is often difficult to obtain, and this ultimately impacts the audience's perception of the BIA process.
These are examples of what can happen when a company conducts a business impact analysis. BC professionals are not typically financial analysts and it can be difficult to navigate an interview with an executive to obtain the perfect information about impacts. Nevertheless, the process of data gathering can be invaluable for the disaster recovery coordinator (DRC), enabling the DRC to learn about the company, meet the important executives, inventory critical applications, and align them with business processes. When you think about it, this could be a huge undertaking for many companies. Most medium to large companies have upwards of 50 to 75 business functions and usually 25 to 40 applications that support the enterprise.
I recently spoke to a $10 billion manufacturing company that spent more than $1 million on a BIA that took them more than 12 months to conduct and they still haven’t presented the results to the executive committee. This raises the question: Does it take too long to conduct a formal BIA following the traditional model?
Barrier #4: The sequential nature of a BIA makes for a long project and decreases any momentum that you have for BC initiatives.
With the risk that you’re going to spend a lot of time speaking to executives to come up with pretty charts that may ultimately get called into question by executives, maybe it is time to look at an alternative to the BIA?
The BIA Alternative: Criticality Analysis Workshops
With regard to the data gathering process, rather than conduct one-on-one interviews that lack objectivity and are time consuming, why not instead invite a handful of executives (no more than six) into a room and conduct what I like to call a “criticality analysis workshop”?
During this interactive session, which should last no more than 45 minutes, your goal is to educate a bit, obtain business information, and validate data on applications. With a crisp delivery and a skilled facilitator you can typically get all the information you need to determine what business processes are critical.
I have found that keeping it simple, straightforward and graphical with executives is a key to success. Therefore, I ask that they simply:
- List the business processes in their business unit;
- Assign a priority – immediate, critical, important, vital or deferred – to the process, and;
- Justify the priority using financial, operational or anecdotal impacts.
This method decreases the concern from the executives that they are writing these financial estimates in blood. They are simply providing educated opinions about the criticality of their business processes, nothing more. In addition, during this meeting you’re also gathering information about what applications support those business processes. Scheduling, effort and follow-up are all made easier with this collaborative workshop approach.
An interesting thing occurs when you put multiple executives in a room together. With peers present, executives tend to become more objective about the criticality of their business process and systems. They will interact and discuss, therefore increasing the potential for learning and identifying items (processes, systems, etc.) that many times slip through the cracks in one-on-one meetings. These are all significant benefits to the workshop approach.
The next step in the process is to speak with the IT support staff, again in a workshop and not one-on-one, to confirm what was communicated by the business units and to determine the following:
- Where does the application reside – data center and server?
- How quickly could the application realistically be recovered today?
- Based on historical information (how many help desk calls are received) what priority would they put on the particular application? Does this align with what the business said?
At the same time you are conducting these workshops it is important to informally assess the risks and threats the business locations are exposed to. This will enable you to measure the risks against the impacts to determine where the company should focus time, effort, and investment. Isn’t this really the goal of the BIA: to determine where and how the company ought to spend the money it has budgeted for business continuity?
When these workshops and meetings are complete, I would strongly suggest that a company create two spreadsheets. The first spreadsheet outlines each business process – its priority, justification, primary contact and associated applications. This spreadsheet should be sorted several different ways – by location, by criticality, and by organization. The second spreadsheet should contain the list of applications along with contact, location, quantity of storage (TB), and current realistic recovery time. These two documents combined can be used on a continual basis in conjunction with the business continuity program. They can be updated and maintained, and can assist in long-term decision-making.
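The two spreadsheets, and the check of whether IT's priority for an application aligns with what the business said, can be kept as plain data and cross-checked in a few lines. This is an added Python example, not part of the original article: every row is constructed sample data, and the column names, the `it_priority` column, and the assumption that the five priority labels rank in the order the article lists them are illustrative.

```python
# Added illustration; every row below is constructed sample data.
# Assumption: the article's priority labels rank in the order it lists them.
PRIORITY_ORDER = ["immediate", "critical", "important", "vital", "deferred"]
RANK = {name: i for i, name in enumerate(PRIORITY_ORDER)}

# Sheet 1 (executive workshop): one row per business process.
PROCESSES = [
    {"process": "Order entry", "organization": "Sales", "location": "Chicago",
     "priority": "immediate", "justification": "No orders, no revenue",
     "contact": "VP Sales", "applications": ["ERP", "CRM"]},
    {"process": "Payroll", "organization": "Finance", "location": "Dallas",
     "priority": "important", "justification": "Run can slip a few days",
     "contact": "Controller", "applications": ["HRIS"]},
    {"process": "Shipping", "organization": "Operations", "location": "Chicago",
     "priority": "critical", "justification": "Trucks idle at the dock",
     "contact": "Dir. Logistics", "applications": ["ERP", "WMS"]},
]

# Sheet 2 (IT workshop): one row per application; it_priority is IT's ranking.
APPLICATIONS = [
    {"application": "ERP", "contact": "ERP team", "location": "Chicago DC",
     "storage_tb": 4.0, "recovery_hours": 72, "it_priority": "important"},
    {"application": "CRM", "contact": "CRM team", "location": "Chicago DC",
     "storage_tb": 0.5, "recovery_hours": 24, "it_priority": "immediate"},
    {"application": "HRIS", "contact": "HR IT", "location": "Dallas DC",
     "storage_tb": 0.2, "recovery_hours": 48, "it_priority": "important"},
]

def sorted_view(processes, column):
    """Sheet 1 sorted by 'location', 'organization' or 'priority'."""
    return sorted(processes, key=lambda p: (
        "" if column == "priority" else p[column], RANK[p["priority"]]))

def alignment_report(processes, applications):
    """Compare IT's ranking of each application with the business's ranking."""
    report = []
    for app in applications:
        ranks = [RANK[p["priority"]] for p in processes
                 if app["application"] in p["applications"]]
        # An application inherits the highest priority of any process using it.
        business = PRIORITY_ORDER[min(ranks)] if ranks else None
        report.append({"application": app["application"], "business": business,
                       "it": app["it_priority"], "aligned": business == app["it_priority"],
                       "recovery_hours": app["recovery_hours"]})
    return sorted(report, key=lambda r: RANK.get(r["business"], len(RANK)))

def unlisted_applications(processes, applications):
    """Applications the business named that IT's sheet does not contain."""
    known = {a["application"] for a in applications}
    return sorted({n for p in processes for n in p["applications"]} - known)
```

With the sample rows, the report puts ERP first as a mismatch (the business calls it immediate, IT calls it important, and its realistic recovery time is 72 hours), and `unlisted_applications` surfaces WMS, an application named in the executive workshop that never reached the IT sheet.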
While there are many other distinctions between the business impact analysis (BIA) and the criticality analysis (CA), the major reasons why criticality analysis is more effective include:
- Workshops are collaborative and self-validating and educate executives in the process.
- Analysis paralysis disappears because you’re trying to justify priority, not gather detailed impacts.
- Spreadsheets on business process priority and application recovery objectives are used long-term as a part of your overall business continuity program.
- Anecdotal information about impacts decreases potential for criticism by financial management.
This approach is built on a single basic premise that if you put a group of executives in a room together, they can tell you what processes generate the most revenue, which are highly dependent on technology, and who will scream the loudest when the technology isn’t available. The CA approach simply expands upon that concept. It accomplishes BC objectives faster and more effectively than the BIA process and prevents the initiative from screeching to a halt or falling into a big black hole.
Damian Walch, CISA, MBCI, CISSP, has been in the industry for 13 years, formerly as senior vice president of Comdisco’s Professional Services Organization and now as vice president of consulting with T-Systems. He was recently voted by Consulting Magazine as one of the top 25 consultants of 2003 and is a member of the DRJ Editorial Advisory Board.